[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Xen Security Advisory 475 v2 (CVE-2025-58147,CVE-2025-58148) - x86: Incorrect input sanitisation in Viridian hypercalls



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

     Xen Security Advisory CVE-2025-58147,CVE-2025-58148 / XSA-475
                               version 2

       x86: Incorrect input sanitisation in Viridian hypercalls

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats.  Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.

 * CVE-2025-58147.  Hypercalls using the HV_VP_SET Sparse format can
   cause vpmask_set() to write out of bounds when converting the bitmap
   to Xen's format.

 * CVE-2025-58148.  Hypercalls using any input format can cause
   send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
   vCPU pointer.

IMPACT
======

A buggy or malicious guest can cause Denial of Service (DoS) affecting
the entire host, information leaks, or elevation of privilege.

VULNERABLE SYSTEMS
==================

Xen versions 4.15 and newer are vulnerable.  Versions 4.14 and older are
not vulnerable.

Only x86 HVM guests which have Viridian enabled can leverage the
vulnerability.

With the `xl` toolstack, this means any `viridian=` setting in the VM's
configuration file.

Note - despite:

  `viridian=["!hcall_remote_tlb_flush", "!hcall_ipi", "!ex_processor_masks"]`

being documented to turns off the relevant functionality, this
configuration does not block the relevant hypercalls.

MITIGATION
==========

Not enabling Viridian will avoid the issuse.

CREDITS
=======

This issue was discovered by Teddy Astie of Vates

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa475-?.patch           xen-unstable - Xen 4.20.x
xsa475-4.19-?.patch      Xen 4.19.x - Xen 4.17.x

$ sha256sum xsa475*
25ba4933e4cf94e81d192f3ba522ec7b258c6e69015a43d169b0325e61957f42  xsa475-1.patch
d012541f99c69279b30554e8ea7a7da2790aaa6ff81b0d597f305e4498391369  xsa475-2.patch
6b820b116418e6fd376b6d23ede589e4f86fea4ea775e9afb5c631ceba44d05f  
xsa475-4.19-1.patch
f94b48392179bc08f412ead900a91299ef3a27a6dd4f5fdcf7a152fd65d3a02b  
xsa475-4.19-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches (but not mitigations) described above (or others
which are substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

This is because the mitigations are guest visible changes, and hence could
give hints to users about the upcoming vulnerabilities.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmj3daEMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZnvgIAJzU/Bczr7/Gj3pIqop+rgDsoLw/PU2tGkwhumJQ
0lICxaHWlqrk8cL0y+Ll0nQV4DTwoZbhSm9Bz3S9ZKo6/Qby9YZzo0Tyt9U2OxNU
YTpiYGSwrSlCs8cpfj4gwKGzEZ0nNTBTVbAa9UfqIYcvNF4j/L0Tnl6cJOZ/xNhh
8BoH02j+vCF8B8ZInutJjHhKPtrmDta0/md9R4Ydrx4OrLlAoYA4hKnkOuBWfhHg
amL1aJ3vk9kNNkP6sO19Vnp5KTawnLGZwN95+FDlDGuh8n8ixKfURvZ9eK8Ycfir
naItP4wBkFC9ukzlvGtkwoHPDspxKjtFTYfNvVNvoV6JOWc=
=oSQZ
-----END PGP SIGNATURE-----

Attachment: xsa475-1.patch
Description: Binary data

Attachment: xsa475-2.patch
Description: Binary data

Attachment: xsa475-4.19-1.patch
Description: Binary data

Attachment: xsa475-4.19-2.patch
Description: Binary data


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.